HECVAT Category
Vulnerability Management
The Vulnerability Management category covers the controls and questions in that domain. It outlines the expectations institutions typically place on vendors for finding, disclosing and remediating vulnerabilities. The category helps assess a vendor's risk posture and operational maturity, and gives the review a consistent structure.
Assessment Questions
Are your systems and applications scanned with an authenticated user account for vulnerabilities (that are remediated) prior to new releases?
This question is asking whether your organization performs authenticated vulnerability scanning on systems and applications before releasing new versions.
Will you provide results of application and system vulnerability scans to the institution?
This question is asking whether your organization will share the results of vulnerability scans performed on your applications and systems with the institution (the customer or client).
Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?
This question is asking whether your organization will permit the institution (the customer) to conduct their own vulnerability testing or scanning against your systems or applications.
Have your systems and applications had a third-party security assessment completed in the last year?
This question is asking whether your organization has engaged an independent third party to evaluate the security of your systems and applications within the past 12 months. A third-party security assessment is when an external company or consultant (not affiliated with your organization) conducts a comprehensive review of your IT environment to identify security vulnerabilities, weaknesses, or compliance gaps.
Do you regularly scan for common web application security vulnerabilities (e.g., SQL injection, XSS, XSRF, etc.)?
This question is asking whether your organization regularly conducts security scans specifically targeting common web application vulnerabilities. These include the classes named in the question: SQL injection, cross-site scripting (XSS) and cross-site request forgery (XSRF).
Are your systems and applications regularly scanned externally for vulnerabilities?
This question asks whether your organization conducts regular external vulnerability scans on your systems and applications. External vulnerability scanning involves using automated tools to examine your internet-facing assets (websites, servers, cloud resources, etc.) from outside your network to identify security weaknesses that could be exploited by attackers.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.